Introducing a Security Governance Framework for Cloud Computing

Oscar Rebollo, Daniel Mellado, Eduardo Fernández-Medina


The cloud computing paradigm provides a more efficient way in which to provide IT services, introducing on-demand services and flexible computing resources. The adoption of these cloud services is being hindered by the security issues that arise with this new environment. A global security solution, which deals with the specific particularities of the cloud paradigm, is therefore needed, and literature fails to report on such a solution. As a consequence, in this paper we propose a novel security governance framework focused on the cloud computing environment (ISGcloud). This framework is founded upon two main standards: on the one hand, we implement the core governance principles of the ISO/IEC 38500 governance standard; and on the other hand, we propose a cloud service lifecycle based on the ISO/IEC 27036 outsourcing security draft. The paper includes an overview of the framework and the description of a collection of activities and their related tasks.


  1. Mell, P., Grance, T.: The NIST Definition of Cloud Computing. SP 800-145. National Institute of Standards and Technology (NIST) (2011)
  2. Gartner: Gartner's Hype Cycle for Cloud Computing. (2012)
  3. Chen, Y., Paxson, V., Katz, R.H.: What's New About Cloud Computing Security? University of California, Berkeley (2010)
  4. Hamlen, K., Kantarcioglu, M., Khan, L., Thuraisingham, B.: Security Issues for Cloud Computing. International Journal of Information Security and Privacy 4 (2010) 39-51
  5. Subashini, S., Kavitha, V.: A survey on security issues in service delivery models of cloud computing. Journal of Network and Computer Applications 34 (2011) 1-11
  6. Bisong, A., Rahman, S.S.M.: An overview of the Security Concerns in Enterprise Cloud Computing. International Journal of Network Security & Its Applications (IJNSA) 3 (2011) 30-45
  7. Avanade: Global Survey: Has Cloud Computing Matured? Third Annual Report , June 2011 (2011)
  8. Rosado, D.G., Gómez, R., Mellado, D., Fernández-Medina, E.: Security Analysis in the Migration to Cloud Environments. Future Internet 4 (2012) 469-487
  9. Zhu, Y., Hu, H., Ahn, G.-J., Yau, S. S.: Efficient audit service outsourcing for data integrity in clouds. Journal of Systems and Software 85 (2012) 1083-1095
  10. Mellado, D., Sánchez, L.E., Fernández-Medina, E., Piattini, M.: IT Security Governance Innovations:Theory and Research. IGI Global, USA (2012)
  11. Rong, C., Nguyen, S.T., Jaatun, M. G.: Beyond lightning: A survey on security challenges in cloud computing. Computers and Electrical Engineering 39 (2013) 47-54
  12. Rebollo, O., Mellado, D., Fernández-Medina, E.: A Systematic Review of Information Security Governance Frameworks in the Cloud Computing Environment. Journal of Universal Computer Science 18 (2012) 798-815
  13. Fung, A.R.-W., Farn, K.-J., Lin, A. C.: Paper: a study on the certification of the information security management systems. Computer Standards & Interfaces 25 (2003) 447-461
  14. ISO/IEC: ISO/IEC 38500:2008 Corporate governance of information technology (2008)
  15. Chou, D.C., Chou, A.Y.: Information systems outsourcing life cycle and risks analysis. Computer Standards & Interfaces 31 (2009) 1036-1043
  16. ISO/IEC: ISO/IEC 27036 - IT Security - Security techniques - Information security for supplier relationships (draft)
  17. ITGI: Control Objectives for Information and related Technology (COBIT 5) (2012)
  18. ISO/IEC: ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements (2005)
  19. Rebollo, O., Mellado, D., Sánchez, L.E., Fernández-Medina, E.: Comparative Analysis of Information Security Governance Frameworks: A Public Sector Approach. The Proceedings of the11th European Conference on eGovernment - ECEG 2011, Ljubljana, Slovenia (2011) 482-490
  20. Solms, S.H.v., Solms, R.v.: Information Security Governance. Springer (2009)
  21. Rebollo, O., Mellado, D., Fernández-Medina, E.: A Comparative Review of Cloud Security Proposals with ISO/IEC 27002. Proceedings of the 8th International Workshop on Security in Information Systems - WOSIS 2011, Beijing, China (2011) 3-12
  22. Cloud Security Alliance: Security Guidance for Critical Areas of Focus in Cloud Computing V3. (2011)
  23. Catteddu, D., Hogben, G.: Cloud Computing Security Risk Assessment - Benefits, risks and recommendations for information security. European Network and Information Security Agency (ENISA) (2009)
  24. ISACA: IT Control Objectives for Cloud Computing. (2011)
  25. Solms, R.v., Solms, S. H. B.v.: Information Security Governance: A model based on the Direct-Control Cycle. Computers & Security 25 (2006) 408-412
  26. Allen, J.H., Westby, J. R.: Governing for Enterprise Security Implementation Guide. Software Engineering Institute - CERT (2007)
  27. Miller, J., Candler, L., Wald, H.: Information Security Governance - Government Considerations for the Cloud Computing Environment. Booz Allen Hamilton (2009)
  28. OMG: Software & Systems Process Engineering Meta-Model Specification v.2.0. (2008)

Paper Citation

in Harvard Style

Rebollo O., Mellado D. and Fernández-Medina E. (2013). Introducing a Security Governance Framework for Cloud Computing . In Proceedings of the 10th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2013) ISBN 978-989-8565-64-8, pages 24-33. DOI: 10.5220/0004601400240033

in Bibtex Style

author={Oscar Rebollo and Daniel Mellado and Eduardo Fernández-Medina},
title={Introducing a Security Governance Framework for Cloud Computing},
booktitle={Proceedings of the 10th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2013)},

in EndNote Style

JO - Proceedings of the 10th International Workshop on Security in Information Systems - Volume 1: WOSIS, (ICEIS 2013)
TI - Introducing a Security Governance Framework for Cloud Computing
SN - 978-989-8565-64-8
AU - Rebollo O.
AU - Mellado D.
AU - Fernández-Medina E.
PY - 2013
SP - 24
EP - 33
DO - 10.5220/0004601400240033